Privacy Policy

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data by which you can be personally identified. For detailed information on the subject of data protection, please refer to our privacy policy below.

Data Collection on This Website

Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find the operator’s contact details in the “Data Controller” section of this privacy policy.

How do we collect your data?
Your data is collected in part by you providing it to us — for example, data you enter into an order form. Other data is collected automatically or with your consent when you visit the website by our IT systems. This primarily includes technical data (e.g. browser type, operating system, or time of page access).

2. Data Controller

The controller responsible for data processing on this website is:

Norman Voellings
TIAGO LEONE
Urbanização Quinta da Torre 20
8365-184 Armação de Pêra, Portugal

Phone: +351 927 483 323
Email: kontakt@tiagoleone.de

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).

3. Your Rights as a Data Subject

You have the following rights:

  • Right of access (Art. 15 GDPR): You may request information about your personal data processed by us.
  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR): You may request the restriction of the processing of your data.
  • Right to data portability (Art. 20 GDPR): You may request to receive your data in a machine-readable format.
  • Right to object (Art. 21 GDPR): You may object to the processing of your data at any time.
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): You may lodge a complaint with a data protection supervisory authority.

To exercise any of these rights, an informal email to kontakt@tiagoleone.de is sufficient.

4. Data Collection on This Website

Server Log Files

The provider of these pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and version
  • Operating system
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the server request
  • IP address

This data is not merged with other data sources. The legal basis for processing is Art. 6 (1) lit. f GDPR (legitimate interest in the technically error-free presentation and optimisation of the website).

Cookies and Terminal Storage (TDDDG)

Our website uses exclusively strictly necessary cookies and local storage entries (e.g. shopping cart session, authentication tokens, Stripe security checks). These are exempt from consent under Section 25 (2) No. 2 TDDDG (German Telecommunications Telemedia Data Protection Act), as they are strictly necessary to provide the telemedia service (online shop) explicitly requested by the user.

No tracking cookies, marketing pixels or advertising cookies are set. For this reason our website does not require a cookie banner. The legal basis for processing the associated data is Art. 6 (1) lit. b or lit. f GDPR.

5. Hosting

This website is hosted by Hostinger International Ltd. When you visit our website, your personal data (e.g. IP addresses) is processed on Hostinger’s servers. Hostinger may also process data outside the EU/EEA.

The use of Hostinger is based on Art. 6 (1) lit. f GDPR. We have concluded a data processing agreement (DPA) with Hostinger.

Hostinger International Ltd., 61 Lordou Vironos Street, 6023 Larnaca, Cyprus.

6. Orders and Customer Accounts

To process your order, we collect the following data: first name, last name, email address, delivery address (street, postal code, city, country). The processing of this data is based on Art. 6 (1) lit. b GDPR (performance of a contract).

We store your order data for the duration of the statutory retention periods (generally 10 years pursuant to the German Commercial Code and Fiscal Code).

Customer Accounts and Database (Supabase)

For the registration and management of customer accounts as well as the storage of order and product data, we use Supabase Inc. (970 Toa Payoh North #07-04, Singapore 318992) as a database and authentication service. Your email address and encrypted password are stored with Supabase.

Data is processed exclusively on EU servers in Frankfurt (AWS region eu-central-1). A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with Supabase; any transfers to the parent company in the United States are safeguarded by EU Standard Contractual Clauses (SCC) pursuant to Art. 46 (2) lit. c GDPR.

The legal basis is Art. 6 (1) lit. b GDPR (performance of a contract).

7. Payment Processing (Stripe)

We use Stripe for payment processing. The provider is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

When you select a payment method (credit card, Apple Pay, Google Pay, Klarna or similar), your payment data is transmitted directly via the embedded Stripe.js script to Stripe. Stripe processes this data for payment processing and fraud prevention. The integration of Stripe.js is strictly necessary to perform the contract (Section 25 (2) No. 2 TDDDG).

A data processing agreement pursuant to Art. 28 GDPR is in place with Stripe. Any transfers to third countries are safeguarded by EU Standard Contractual Clauses.

The legal basis is Art. 6 (1) lit. b GDPR (performance of a contract). For details on Stripe’s privacy practices, see: stripe.com/privacy

8. Production and Shipping (Shirtigo)

Production (print-on-demand) and shipping of our textiles is handled by Shirtigo GmbH, Vitalistraße 202, 50827 Cologne, Germany. For order fulfilment, we transmit your name, delivery address and the items ordered to Shirtigo. A data processing agreement pursuant to Art. 28 GDPR is in place with Shirtigo; processing takes place exclusively within Germany.

The legal basis is Art. 6 (1) lit. b GDPR (performance of a contract).

9. Newsletter (Resend)

If you wish to receive the newsletter offered on the website, we require your email address. For sending newsletters and transactional emails (order confirmations, shipping notifications, password resets) we use Resend, operated by Resend (Delaware, Inc.), 2261 Market Street #5039, San Francisco, CA 94114, USA. Email delivery takes place via Resend’s EU region.

Double opt-in: After entering your email address you will receive a confirmation email containing a confirmation link. Only after clicking that link is your address added to the mailing list. To document your consent we store the time of sign-up, the time of confirmation and the IP address used in each case (Art. 7 (1) GDPR).

A data processing agreement pursuant to Art. 28 GDPR is in place with Resend. Any transfers to the USA are based on Standard Contractual Clauses (Art. 46 (2) lit. c GDPR) and the EU-US Data Privacy Framework.

The legal basis for newsletter delivery is Art. 6 (1) lit. a GDPR (consent), and for transactional emails Art. 6 (1) lit. b GDPR (performance of a contract). You may unsubscribe from the newsletter at any time via the unsubscribe link in every email. The lawfulness of previously completed data processing remains unaffected.

10. Web Analytics (Umami)

We use Umami, a privacy-friendly, self-hosted web analytics tool. Umami collects no personal data, uses no cookies and does not store full IP addresses (IPs are anonymised/hashed before storage). Only anonymised, aggregated usage data is collected (e.g. page views, time spent, referrer, device type).

Umami runs on our own server infrastructure (VPS at Hostinger, EU). No data is transmitted to third parties. As no information is stored on or read from your terminal device, the use of Umami is exempt from consent under Section 25 (2) No. 2 TDDDG. The legal basis is additionally Art. 6 (1) lit. f GDPR (legitimate interest in analysing and optimising our offering).

11. Bot Protection (Cloudflare Turnstile)

To protect our forms (e.g. newsletter sign-up, partner application, contact form) from automated abuse, we use Cloudflare Turnstile, a privacy-friendly CAPTCHA alternative. The provider is Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA.

When a protected form is loaded, technical data (including IP address, browser information and movement/interaction patterns) is transmitted to Cloudflare in order to distinguish human users from bots. No cookies are set in the process.

A data processing agreement pursuant to Art. 28 GDPR is in place with Cloudflare. Transfers to the USA are based on Standard Contractual Clauses (Art. 46 (2) lit. c GDPR). The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in protecting against spam and abuse).

12. Product Reviews

You have the option of submitting product reviews on our website. In doing so, we collect your name and email address. The email address is not publicly displayed and is used solely for verification. Reviews are moderated before publication.

The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in authentic product reviews).

13. SSL/TLS Encryption

This site uses SSL/TLS encryption for security purposes and to protect the transmission of confidential content, such as orders or enquiries. An encrypted connection can be recognised by the browser’s address bar changing from “http://” to “https://”.

14. Updates to This Privacy Policy

This privacy policy is currently valid as of April 2026. Due to the further development of our website or changes in legal or regulatory requirements, it may become necessary to amend this privacy policy.